Re: [DNSOP] ALT-TLD and (insecure) delegations.

Bob Harold <rharolde@umich.edu> Wed, 01 February 2017 21:09 UTC

From: Bob Harold <rharolde@umich.edu>
Date: Wed, 01 Feb 2017 16:09:24 -0500
Message-ID: <CA+nkc8DwZpnZr3k0XwEz80=_ofnti8XCsyiWQZvU4qAw7XB1SA@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OEFlIJfelTgGrIM-utEAaTHLpc0>
Cc: dnsop <dnsop@ietf.org>, Ralph Droms <rdroms.ietf@gmail.com>

On Wed, Feb 1, 2017 at 3:58 PM, Ted Lemon <mellon@fugue.com> wrote:

> On Feb 1, 2017, at 3:50 PM, Ralph Droms <rdroms.ietf@gmail.com> wrote:
>
> It appears to me that requesting an insecure delegation is the right thing
> to do, as a "technical use".  We have, so far, been very careful in what we
> ask for.  If ICANN does not agree, then we can discuss other options.
>
> I agree.
>
> I'm confused.   The .ALT TLD is expected to be used for non-DNS name
> lookups.   So isn't a secure denial of existence exactly what we want for
> .ALT?   What is the utility in having an un-signed delegation?

As I understand it, the idea is that if someone incorrectly looks up a
.alt name in DNS, we want an answer that causes the requester and recursive
resolver to not ask again, both to reduce traffic to the roots, and to
minimize leakage of information.  If querying 'something.alt', a delegation
would be cached at the '.alt' level, but an NXDOMAIN would be cached as
'something.alt', and 'other.alt' would not be covered.

-- 
Bob Harold
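The caching difference Bob describes, as an added toy simulation that is not part of the thread: a stand-in root either hands out a referral for the 'alt' cut or denies each exact name, and a resolver with a name-keyed cache counts how often the root is hit. Negative caching is modelled as per-exact-name, with no NXDOMAIN-cut or aggressive-NSEC inference, which is the resolver behaviour his argument assumes; all names, classes and the cache model are constructed for illustration.

```python
# Added example (not from the original thread): a toy resolver cache that
# counts root queries under the two designs contrasted for .alt.
# Assumptions: negative answers are cached only for the exact queried name;
# a referral is cached at the 'alt' cut and shields every name beneath it.

REFERRAL = "referral"   # root hands out NS records for the 'alt' cut
NXDOMAIN = "nxdomain"   # root denies the exact queried name


class ToyRoot:
    """Stand-in root server that answers every '.alt' query one way."""

    def __init__(self, mode):
        self.mode = mode
        self.queries = 0           # how many times the root was asked

    def answer(self, qname):
        self.queries += 1
        return self.mode


class ToyResolver:
    """Recursive resolver whose cache is keyed by owner name."""

    def __init__(self, root):
        self.root = root
        self.cache = {}            # owner name -> cached answer kind

    def lookup(self, qname):
        qname = qname.lower().rstrip(".")
        labels = qname.split(".")
        # A cached referral at any ancestor cut means the root is not asked:
        # the query would go to the delegated '.alt' servers instead.
        for i in range(len(labels)):
            if self.cache.get(".".join(labels[i:])) == REFERRAL:
                return REFERRAL
        # A cached negative answer covers only the exact name it was given for,
        # so 'other.alt' is a miss even after 'something.alt' was denied.
        if self.cache.get(qname) == NXDOMAIN:
            return NXDOMAIN
        kind = self.root.answer(qname)
        owner = labels[-1] if kind == REFERRAL else qname
        self.cache[owner] = kind
        return kind


def root_queries_for(mode, names):
    """Return how many root queries a fresh resolver makes for NAMES under MODE."""
    root = ToyRoot(mode)
    resolver = ToyResolver(root)
    for name in names:
        resolver.lookup(name)
    return root.queries
```

With three distinct '.alt' names the NXDOMAIN design sends each one to the root, while the referral design sends only the first; repeated lookups of the same name are cached either way.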